Legislative Alert: Canada-Europe Cybersecurity

Montreal, April 30, 2018 – About 9,000 Canadian companies export to the European Union (EU), generating roughly $60 billion a year in revenue from goods and services. These numbers are expected to grow as the Canada-European Union Comprehensive Economic and Trade Agreement (CETA) takes full effect. To integrate successfully into the European market, these companies have already adapted to EU regulations and standards in several areas, such as health, accountability, competitive transparency and the environment.

Today, Canadian exporters face a new challenge: complying with the EU law on data protection and privacy for all individuals, a piece of legislation that will transform the relationship between businesses and their customers. The General Data Protection Regulation (GDPR), adopted by the European Parliament and Council in April 2016 for the 28 member states, becomes enforceable on 25 May 2018. It is a demanding, directly binding regulation that applies not only to organizations established in the EU but also to organizations in third countries that offer goods or services to individuals in the EU, or monitor their behaviour there.

The regulation aims to give individuals in the EU control over how their personal data is used, both online and in structured paper files. Individuals have a right of access to their data, a right to rectification, a right to erasure (the "right to be forgotten"), a right to data portability, a right to object to certain processing, and a right to be informed about who receives their data and, where a breach is likely to put them at high risk, to be notified of that breach. In short, individuals reclaim control of their identities.

New responsibilities

Companies operating within the European Union or dealing with European clients – regardless of their country of origin – will have to be able to demonstrate that they take full responsibility for the management of personal data in accordance with the GDPR. This accountability principle means documenting decisions, not merely asserting compliance.

Financial penalties for non-compliance with the GDPR are severe. The most serious infringements can be fined up to €20 million or 4% of total worldwide annual turnover, whichever is higher (a lower tier of €10 million or 2% applies to other infringements). In addition, the regulation allows member states to lay down further penalties under national law, which may include criminal proceedings against executives who refuse to comply.

Companies whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive data such as health information, will be required to designate a Data Protection Officer (DPO). The DPO advises the organization and monitors its compliance, which in practice means overseeing the record of data processing activities, the notification of the supervisory authority and affected users in the event of a security breach, the mapping of data flows, and the analysis of impacts on personal data from the design stage of any new product or service (data protection by design, backed by a data protection impact assessment where the risk is high). The organization itself remains responsible for compliance; the DPO does not take that responsibility off its hands.

During the first year of enforcement, supervisory authorities are widely expected to focus on abuses by large companies. This gives micro-businesses that collect, store and use personal data a temporary respite in which to set up the mandatory mechanisms, such as obtaining and recording valid consent and keeping records of processing activities.

Compliance with the GDPR does not require the purchase of expensive technology. “The mandatory elements of the GDPR are more governance than IT,” says John Reid, President and CEO of the Canadian Advanced Technology Alliance (CATAAlliance). “SMEs can very well comply by relying on their own human resources and without the assistance of law firms or IT or cybersecurity consulting firms. The European Union has developed support tools.”

The GDPR is not just another obstacle for companies. On the contrary, the new regulation represents a competitive advantage. “For all intents and purposes, by complying with the GDPR, companies adopt the best practices in terms of security and privacy,” says Jean-Guy Rens, partner at Sciencetech and vice-president of CATAAlliance. “It is an option on the future development of companies. Indeed, the GDPR is an essential prerequisite for the deployment of the Internet of Things and the use of Big Data.”

Online documentation

The official text of the GDPR (256 pages) sets out a new legal framework for the protection of personal data, strengthening the rights of individuals and introducing new obligations for the organizations (public administrations and private companies) that collect and store information identifying individuals.

The European Union and its national authorities offer support tools for companies. In France, for example, the Commission nationale de l'informatique et des libertés (CNIL) proposes a six-step compliance method and free open-source software for carrying out privacy impact assessments (https://www.cnil.fr/en/home). The CNIL also offers a toolkit for very small businesses and SMEs (TPE-PME).

The Canadian Advanced Technology Alliance (CATAAlliance) is Canada’s One Voice for Innovation lobby group, and crowdsources ideas and guidance from thousands of opt-in members in moderated social networks in Canada and key global markets. (No Tech Firm Left Behind)